Provide the appropriate Internet bandwidth for the services you select when you migrate data to the Office 365 data centers

Warning:

Office 365 requires that specific ports and protocols be accessible to support the use of online services and migration tools. Use of third-party SSL certificates is required to secure your organization’s Office 365 deployment.

These network considerations come from feedback and lessons learned during many Office 365 deployments. Evaluate these considerations independently against your network environment to see if they apply:

Proxy server and firewall devices need to be properly sized. Many of these devices that customers have aren’t sized for the additional traffic that Office 365 creates. Verify that the Internet traffic and the additional overhead to protect that traffic are included in the sizing calculation. Ensure the overhead for the following traffic protection mechanisms are included in your calculations:

Evaluate the customer’s network to determine if all the network devices between client computers and Office 365 are configured properly. Is the Maximum Transmission Unit (MTU) size correct for all their network devices? Search for black hole routers.

Check the network ports on your firewalls and routers for autonegotiation or autodetection of network speeds. Occasionally, network ports that use autonegotiation or autodetection of network speeds causes a mismatch on one end of the network link. This results in communication errors.

You can capture network packet traces to determine if there are lots of packet retransmissions, packet fragmentation, and so on.

Is network address translation (NAT) being used? A large NAT pool of clients could be flooding code access security (CAS) with requests. For more information, see NAT support with Office 365.

Ensure that your proxy or firewall is configured for Office 365 IP address and URL requirements. For more information, see Office 365 URLs and IP address ranges. Be aware that some firewalls cannot accommodate Classless Interdomain Routing (CIDR) notation or Fully Qualified Domain Names (FDQNs) on either the include list or the exclude list. For these devices, adding the IP addresses or ranges directly is still an option.

We strongly recommend that you enable routing to the root domain names (such as *.outlook.com, *.microsoftonline.com, *.lync.com, and *.sharepoint.com) instead of routing to specific IP address subnets. IP addresses can change without prior notice. This might cause outages for your users if you’re relying on IP address subnets being manually entered into your firewall or proxy. For more information, see Office 365 URLs and IP address ranges.